ARE PASSWORDS REALLY THAT DIFFICULT?
When it comes to creating passwords for social networks, business systems [to a lesser extent] or, more alarmingly, e-commerce sites, most Web users seem to have gotten lazy. That’s the (not particularly shocking) news last month from Web security firm Imperva, which examined data exposed in a recent breach of a site called RockYou.com: users are simply continuing to ignore experts’ advice.
Fortunately, or not, depending on your perspective, there is no paucity of advice on password selection and protection from computer and information security (CIS) experts and analysts, and even though that advice has been around for a couple of decades now, it is still evolving.
And yet there will likely be no change in users’ behavior, even after the recent intrusion into RockYou and the subsequent pilfering and posting of approximately 32 million user passwords. Security analysts were alarmed to find the same old trend in password choices: one out of five Web users still leaves the digital equivalent of a key under the doormat, choosing simple, weak, easily guessed passwords like “abc123,” “iloveyou” or even “password” to protect their data.
There are even some experts, like Cormac Herley, Principal Researcher at Microsoft Research, who suggest that the burden on users is simply too high and that it may be entirely rational for them to reject the experts’ advice.
Herley may well be correct in his assertion [spelled out in detail in his paper] that, statistically, the aggregate cost of following the advice across all users exceeds the benefit to the few who would otherwise be harmed; yet none of us would appreciate being counted among the statistical few who are indeed compromised.
Vigilance over our digital data is mandatory and the advice offered by experts is valid, but I agree with Herley that the blame lies not with the lax behavior of computer users but with the complex and incoherent burdens placed upon them. More directly: the blame lies with the security experts and the burdens they place upon us.
To close this hole from an individual user’s point of view, there needs to be a universal solution that is far easier to act on than what follows. The human factor is truly security’s weakest link.
Data security firm Imperva has documented this hopeless log-in behavior after analyzing the 32 million passwords exposed in the rockyou.com breach.
The firm has produced a report, Consumer Password Worst Practices. According to Imperva, the ten most commonly used [i.e. the worst] passwords were:
123456, 12345, 123456789, Password, iloveyou, princess, rockyou, 1234567, 12345678, and abc123
“I guess it’s just a genetic flaw in humans,” speculates Amichai Shulman, the chief technology officer at Imperva, which makes software for blocking hackers. “We’ve been following the same patterns since the 1990s.”
“More disturbing,” said Mr. Shulman, “was that about 20 percent of people on the RockYou list picked from the same, relatively small pool of 5,000 passwords.”
Some Web sites try to thwart attackers by freezing an account for a period of time if too many incorrect passwords are typed. But experts say attackers simply learn to ‘trick’ such lockouts, for instance by pacing their guesses at a rate the lockout rule will accept.
Another ‘trick’ is to get at users’ data in a way that circumvents passwords altogether, as in the RockYou breach: weak passwords notwithstanding, the breach was not a series of attacks on each of the 32 million accounts, by brute force for example. It was carried out through a trivial SQL injection vulnerability, exploited with a technique that has been well documented for over a decade. The attack is extremely basic in execution yet catastrophic in impact: in one fell swoop the entire database was there for the taking.
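To show what “trivial SQL injection” means in practice, here is an added Python example (not RockYou’s code, whose internals are not public, and not code from this page): a login query assembled by string concatenation, the two textbook inputs that turn it first into a universal login and then into a dump of every username and password in a single query, and the parameterized version that is immune to both. The users table and its three rows are constructed for the demonstration and store passwords in the clear.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real RockYou records).
SAMPLE_USERS = [
    ("alice", "tlpWENT2m"),
    ("bob", "123456"),
    ("carol", "iloveyou"),
]


def build_db():
    """In-memory users table; passwords are stored in the clear, which is the
    only way a single query can hand an attacker the passwords themselves."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The bug: user input is pasted into the SQL text, so a quote in the input
    ends the string literal and the rest of the input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """The fix: bound parameters travel separately from the SQL text, so the
    same inputs are compared as data and never parsed as SQL."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    )
    return [row[0] for row in rows]


# Two classic payloads (generic textbook technique, not RockYou-specific steps):
# 1. make the WHERE clause always true, so any username logs in without a password;
BYPASS = "' OR '1'='1"
# 2. UNION a second SELECT onto the query to pull every credential in one request;
#    the trailing -- comments out the closing quote the application appends.
DUMP = "' UNION SELECT username || ':' || password FROM users --"


def demo():
    """Run the legitimate login, both payloads, and the fixed version; return results."""
    conn = build_db()
    return {
        "legit": login_vulnerable(conn, "alice", "tlpWENT2m"),
        "bypass": sorted(login_vulnerable(conn, "alice", BYPASS)),
        "dump": sorted(login_vulnerable(conn, "nobody", DUMP)),
        "fixed_bypass": login_parameterized(conn, "alice", BYPASS),
        "fixed_dump": login_parameterized(conn, "nobody", DUMP),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13} {result}")
```

The bypass payload makes the vulnerable query return every row (the attacker is “logged in” as all three users at once), and the UNION payload returns every username:password pair from one request, which is the “one fell swoop” the text describes. The parameterized query returns nothing for either input because the quote and the UNION never reach the SQL parser.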
To improve security, some Web sites enforce policies that require users to mix letters, numbers and even symbols in their passwords. Others, like Twitter, prevent people from picking common passwords.
But bowing to the apparent reality of our overcrowded brains, the experts offer this simple bit of advice: everyone should choose at least two different passwords, a complex one for Web sites where security is vital, such as banks and e-mail, and a simpler one for places where the stakes are lower, such as social networking and entertainment sites.
“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second – 1,000 accounts every 17 minutes,” explained Imperva’s CTO Amichai Shulman. “The data provides a unique glimpse into the way that users select passwords and an opportunity to evaluate the true strength of passwords as a security mechanism. Never before has there been such a high volume of real-world passwords to examine.”
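The lockout-evasion point made above and Imperva’s “one account every second” arithmetic can be made concrete with a small simulation. The following Python is an added example, not code from this page, from Imperva or from RockYou. It builds a constructed population of 1,000 accounts in which every fifth account (20%, the share Imperva reports) uses one of the ten passwords from the Imperva list, puts an assumed lockout rule in front of it (five failures within an hour locks the account for an hour), and runs two attackers against it: one that hammers each account with the whole list before moving on, and one that “sprays” a single guess across every account before trying the next guess, pausing to let the failure counters expire.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # assumed policy: this many failures in the window locks the account
LOCKOUT_WINDOW = 3600    # seconds a failure stays counted, and how long a lock lasts

# The ten most common passwords from the Imperva report quoted on this page.
COMMON_PASSWORDS = ["123456", "12345", "123456789", "Password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"]


def build_population(n=1000):
    """Constructed population (not real data): every fifth account, i.e. 20%,
    cycles through the common list; the rest get a unique, unguessable password."""
    users = {}
    for i in range(n):
        if i % 5 == 0:
            users[f"user{i}"] = COMMON_PASSWORDS[(i // 5) % len(COMMON_PASSWORDS)]
        else:
            users[f"user{i}"] = f"Un1que-{i}-!x"
    return users


class LoginService:
    """Password check with a per-account lockout, driven by a simulated clock."""

    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(list)   # username -> timestamps of recent failures
        self.locked_until = {}

    def attempt(self, username, password, now):
        if self.locked_until.get(username, -1) > now:
            return "locked"
        recent = [t for t in self.failures[username] if now - t < LOCKOUT_WINDOW]
        if self.users.get(username) == password:
            self.failures[username] = []
            return "success"
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= LOCKOUT_THRESHOLD:
            self.locked_until[username] = now + LOCKOUT_WINDOW
            return "locked"
        return "failure"


def brute_force_each_account(service, usernames, guesses):
    """Naive attacker: the whole list against one account, then the next.
    Returns (compromised accounts, accounts that got locked)."""
    compromised, locked, now = set(), set(), 0
    for user in usernames:
        for guess in guesses:
            result = service.attempt(user, guess, now)
            now += 1
            if result == "success":
                compromised.add(user)
                break
            if result == "locked":
                locked.add(user)
                break
    return compromised, locked


def password_spray(service, usernames, guesses):
    """Spraying attacker: one guess against every account, then the next guess.
    No account ever sees LOCKOUT_THRESHOLD failures inside one window because the
    attacker waits out the window before the counters could reach the limit."""
    compromised, locked, now = set(), set(), 0
    for round_no, guess in enumerate(guesses):
        if round_no and round_no % (LOCKOUT_THRESHOLD - 1) == 0:
            now += LOCKOUT_WINDOW        # let every account's failure counter expire
        for user in usernames:
            if user in compromised:
                continue
            result = service.attempt(user, guess, now)
            now += 1                     # one guess per second, as in Imperva's arithmetic
            if result == "success":
                compromised.add(user)
            elif result == "locked":
                locked.add(user)
    return compromised, locked


def run_demo(n=1000):
    """Run both attackers against fresh services; return the four counts."""
    users = build_population(n)
    names = list(users)
    bf_hit, bf_locked = brute_force_each_account(LoginService(users), names, COMMON_PASSWORDS)
    sp_hit, sp_locked = password_spray(LoginService(users), names, COMMON_PASSWORDS)
    return {"brute_force_compromised": len(bf_hit), "brute_force_locked": len(bf_locked),
            "spray_compromised": len(sp_hit), "spray_locked": len(sp_locked)}


if __name__ == "__main__":
    print(run_demo())
```

The per-account attacker trips the lockout on 900 of the 1,000 accounts (a very visible event in any log) and only reaches the 100 accounts whose password sits in the first five guesses. The sprayer never triggers a single lockout and collects all 200 weakly protected accounts, which is why a per-account lockout alone is not a defence against a small list of very common passwords; the defender also needs a ban on those passwords, as Twitter’s policy mentioned below does, and detection of failures spread across many accounts.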
Some key findings of the Imperva study include:
1. The shortness and simplicity of passwords that many users select for credentials means that they leave themselves susceptible to basic forms of cyber attacks known as “brute force attacks.”
2. Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits, adjacent keyboard keys, and so on).
3. Of the 32 million passwords, more than 290,000 were 12345
4. 20% of the passwords were common names and slang or easily remembered number combinations
- “Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” said Shulman.
Citing several studies of Unix password choices dating back to 1990, the report showed a selection pattern similar to the one consumers follow today: users generally care more about being able to remember their passwords than about security.
Shulman said: “The problem has changed very little over the past 20 years. It’s time for everyone to take password security seriously; it’s an important first step in data security.”
In 2006, an examination of 34,000 MySpace passwords found that 65 percent contained eight characters or less. Among the most common passwords for MySpace: abc123 and password.
“This means that users, if allowed to, will choose very weak passwords even for sites that hold their most private data,” the Imperva study concluded.
Imperva’s analysis found that about 30 percent of users chose passwords of fewer than seven characters. Nearly 50 percent of people used names, slang words, dictionary words, or trivial passwords – consecutive digits, adjacent keys and so on.
Furthermore, in the paper “Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users” (PDF), by Peter Hoonakker, Nis Bornoe and Pascale Carayon, published in the Proceedings of the Human Factors and Ergonomics Society, the authors surveyed end-users about their password practices and report some fascinating results:
1. On average, respondents have 4.1 different passwords to log on to different computers and/or access different computer applications at work. If we include passwords used at home that number increases to 9.
2. Eighteen percent of the respondents always use the same password to access the different computer systems, applications or websites, 50% sometimes use the same password and sometimes another password, and 31% always use different passwords.
3. Sixty-three percent of the respondents who use more than one password make a distinction between systems that need special protection (e.g. their office network) and systems for which they can use an easy to use and remember password.
4. On an average, respondents change their password 7 times a year, almost always prompted (96%) by their department.
5a. Fifty-six percent of the respondents use a long password (more than 8 characters);
5b. Seventy-nine percent use a combination of upper and lower cases and;
5c. Thirty-eight percent use special characters (e.g. #,*,^) when they change their password.
6. When they change their password, 68% of the respondents re-use their old password (e.g. password2007 becomes password2008).
7. Fifty-six percent of respondents write their passwords down.
8. Seven percent of respondents keep their usernames/passwords in an electronic file (e.g. Word document).
9. Eighteen percent of the respondents who keep their password in an electronic file secure the electronic file(s) by password protecting or encrypting it.
10. One percent of respondents use software to keep track of their passwords (e.g. Internet Explorer password manager, Password Manager, Roboform, etc.).
11. Five percent of respondents share their password(s) with other people.
12. Thirty-eight percent of respondents use a password protected screensaver.
13. Seventy-nine percent of respondents use a screen lock. For example, they use the Windows Lock Workstation option, meaning that they have to log in again, using CTRL-ALT-DEL, when they have left their computer and come back.
14. Thirty percent of respondents always log off when they step away from their computer.
15. Eighty-five percent of respondents always turn off their computer when they are done for the day.
When we select the respondents who deviate from Computer and Information Security (CIS) best practices with respect to password use, that is, the respondents who: always use only one password to access the different systems (1 and 2); who use a password shorter than or equal to 8 characters, do not use a combination of upper and lower cases or do not use special characters (5a, 5b, 5c); do re-use their old passwords (6); do write down their passwords (7); keep their passwords in an electronic file without protecting it (8 and 9) or who share passwords with other people, and analyze the data, results show that only 4% of the respondents do not deviate from the best practices with regard to password use, and that the other 94% do deviate from one or more best practices (see Table 2).
Table 2: Number of deviations from best password practices (columns: Deviations, N, Percent of Total)
On an average, respondents deviate 2.7 times from best practices for password use. If we include best practices with regard to leaving the computer unattended at the work place (#13-#15 in Table 1: respondents who do not use a screen lock, who do not always log off when they step away from the computer or do not turn off the computer when they are done for the day), and analyze the results again, results show that only 2% of the respondents do not deviate from the best practices.
Results of statistical analysis show that user type (novice, average, advanced or expert user) is the strongest factor related to the number of deviations. Gender, age, education, job position, the organizational unit the respondents work in, and years of computer experience are less important. For example, results of our analyses show that network administrators and super-users perform slightly better than normal end-users in the number of deviations from the password best practices, but the differences are not statistically significant (χ2=20.2, df=12, p=0.06).
Expert users and to a lesser extent advanced users perform significantly better than average users and novice users.
The authors reach the following conclusion:
“The human factor is truly security’s weakest link”.
The use of alphanumeric usernames and passwords is the most often used (and also the cheapest) method of computer authentication. However, unfortunately human beings are limited in their information processing capabilities (Cowan, et al., 2008).
People either use simple passwords that are easy to remember but easy to crack or difficult passwords which are difficult to remember. Results of our study have shown that there are very few people who do not deviate from the best practices for password use. Respondents either use the same password all the time, or use relatively simple passwords; respondents re-use their old password; write passwords down; either on paper or store it in an electronic file without protecting it; respondents share passwords, etc.
In reality, the results are probably worse, because respondents do not like to admit that they deviate from the rules. Results also show that respondents who believe that it matters to pay attention to CIS deviate as often from best practices for password use as people who are cynical about CIS. These results indicate that it is not so much unwillingness of the end-users to adhere to the rules, but that they are not capable of “sticking to the rules”. Results of a study by Zhang et al (2009) showed that interference caused by having to use a series of passwords for the same account, or interference between different password-protected accounts, is one of the most important reasons for multiple password recall errors, and is one of the most frustrating aspects of password authentication systems for users.
In deviating from the best practices, end-users can make the best protected computer systems vulnerable. Problems with the use of alphanumeric passwords have been known for more than 20 years, but unfortunately, so far we have made little progress (Ives, Walsh, & Schneider, 2004).
If you would like to skip the mountains of recommendations you are about to encounter below, feel free to skip down to my recommendations.
Security guru Bruce Schneier has backed calls from Jesper Johansson, former Senior Security Strategist in the Security Technology Unit at Microsoft, urging users to write down their passwords. In years gone by, scribbling passwords on Post-It notes was often cited as a top security mistake, but the sheer volume of passwords people are obliged to remember means they often use easily guessed login details, another security faux pas. Schneier, well known for his original thinking and ability to apply common sense to security issues, advocates a low-tech solution to the password conundrum.
“People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down,” Schneier writes in his latest Cryptogram newsletter.
Using a password database (such as his own free PasswordSafe utility) is one option. But Schneier is also enthusiastic about a much more low-tech approach – think of difficult-to-guess passwords, write them down and keep them on a bit of paper in your wallet.
“We’re all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet,” he writes.
The technique could be modified for a little extra security. “Obscure it somehow if you want added security: write “bank” instead of the URL of your bank, transpose some of the characters, leave off your user-id. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don’t do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize,” he concludes.
Additionally, the following do’s and don’ts list is worth reproducing. It is not in Schneier’s voice (it cites Scott Dunn’s Insider Tips and Ian “Gizmo” Richards’ Best Software columns, and its item 3 contradicts the write-it-down advice above), but it reflects the standard expert line:
1. DO use a password manager such as those reviewed by Scott Dunn in his Sept. 18, 2008, Insider Tips column. Although Scott focused on free programs, I really like CallPod’s Keeper, a $15 utility that comes in Windows, Mac, and iPhone versions and allows you to keep all your passwords in sync. Find more information about the program and a download link for the 15-day free-trial version on the vendor’s site.
2. DO change passwords frequently. I change mine every six months or whenever I sign in to a site I haven’t visited in long time. Don’t reuse old passwords. Password managers can assign expiration dates to your passwords and remind you when the passwords are about to expire.
3. DO keep your passwords secret. Putting them into a file on your computer, e-mailing them to others, or writing them on a piece of paper in your desk is tantamount to giving them away. If you must allow someone else access to an account, create a temporary password just for them and then change it back immediately afterward.
No matter how much you may trust your friends or colleagues, you can’t trust their computers. If they need ongoing access, consider creating a separate account with limited privileges for them to use.
4. DON’T use passwords composed of dictionary words, birthdays, family and pet names, addresses, or any other personal information. Don’t use repeated characters such as 111 or sequences like abc, qwerty, or 123 in any part of your password.
5. DON’T use the same password for different sites. Otherwise, someone who culls your Facebook or Twitter password in a phishing exploit could, for example, access your bank account.
6. DON’T allow your computer to automatically sign in on boot-up, and don’t use any automatic e-mail, chat, or browser sign-ins. Avoid using the same Windows sign-in password on two different computers.
7. DON’T use the “remember me” or automatic sign-in option available on many Web sites. Keep sign-ins under the control of your password manager instead.
8. DON’T enter passwords on a computer you don’t control — such as a friend’s computer — because you don’t know what spyware or keyloggers might be on that machine.
9. DON’T access password-protected accounts over open Wi-Fi networks — or any other network you don’t trust — unless the site is secured via https. Use a VPN if you travel a lot. (See Ian “Gizmo” Richards’ Dec. 11, 2008, Best Software column, “Connect safely over open Wi-Fi networks,” for Wi-Fi security tips.)
10. DON’T enter a password or even your account name in any Web page you access via an e-mail link. These are most likely phishing scams. Instead, enter the normal URL for that site directly into your browser, and proceed to the page in question from there.
On the other hand, on September 8, 2009, the New Security Paradigms Workshop (NSPW) made available a research paper by Cormac Herley, Principal Researcher at Microsoft Research, titled “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.” (PDF link)
Herley writes that “users’ [in aggregate] rejection of the security advice they receive is entirely rational from an economic perspective.” Users continue to choose weak passwords and manage them poorly, ignore security warnings, and remain oblivious to SSL certificates; while the advice offers to shield them from the direct costs of attack, it burdens them with far greater indirect costs in the form of effort.
So is Herley really suggesting that it is rational for users to reject security advice, or does his paper point to an underlying flaw in how security is implemented? The research suggests users are already rejecting the advice, and the flaw may lie in the overwhelmed human capacity to process the random information that the continued enforcement of current rules and standards demands.
In his paper Herley examines three central aspects of security where much effort has been placed, but to little apparent effect:
- Password Rules
- Phishing site identification
- SSL certificate warnings
The purported goal of security advice is to protect users.
- Password strength rules protect them from brute-force attacks and guessing attacks.
- URL identification markers protect them from phishing attacks.
- Certificate warnings protect them from man in the middle (MITM) or web-spoofing attacks.
The problem, Herley surmises, is that “users perform an implicit cost/benefit calculation when deciding whether to follow security advice or not. The cost is the effort to follow the advice, while the benefit is avoidance of the harm that the attack might bring. The harm includes the monetary loss (if any) that victims endure, but also the time and effort they must spend resolving the situation with the bank,” in addition to the indirect costs, or negative externalities.
Herley concludes, “Given a choice between dancing pigs and security, users will pick dancing pigs every time. While amusing, this is unfair: users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right. Security is not something users are offered and turn down. What they are offered and do turn down is crushingly complex security advice that promises little and delivers less.”
Nonetheless, Herley catalogues the password rules users are typically given. First, rules for choosing a password:
1. Passwords must be of adequate length.
2. Composition must include digits and special characters.
3. Passwords should not be contained in any dictionary [including those of other languages].
Many sites offer password strength meters that let users gauge the quality of [their] passwords. Web sites with a very loose policy may merely insist on a minimum length. At the other extreme are the rules for truly strong passwords. For example, PayPal recommends that a new password “is at least 8 characters long, is not a word you can find in the dictionary, includes both capital and low[er] case letters, and contains at least one special character.” In addition, there are many rules for how a user should handle the password once chosen. Again there is variation between the instructions offered by different sites. Commonly these rules include the following:
4. Don’t write down your passwords.
5. Don’t share your passwords with anyone.
6. Change your passwords often.
7. Don’t re-use passwords across multiple sites.
Rules 4-7 are merely the most common policies usually given to users. Additional rules often cover such matters as never caching a password at a third-party proxy, or re-using an old password (e.g. cycling back to a previously used password when a change is forced).
Peter Hoonakker, Nis Bornoe and Pascale Carayon have the following recommendations listed in their paper “Password Authentication from a Human Factors Perspective: Results of a Survey among End-Users” (PDF):
A possible method to improve password security is to use mnemonic techniques such as using the first letters of a relatively easy to remember phrase or sentence as a password (e.g. “star paliblic dash bang” becomes: “*paliblic-!”). The literature shows that passwords created this way are more difficult to crack than textual passwords (Kuo, Romanosky, & Cranor, 2006). There are websites that generate such passwords. However, using passwords that are more difficult to crack does not make them easier to remember.
There are also other solutions to overcome human limitations. For example, several studies have shown that human beings are better at recognizing pictures than words or sentences (Shepard, 1967) and pictures are better stored in long-term memory. Humans do not seem to have a specific limit regarding how many pictures can be stored in long-term memory and pictures are easily remembered (Haber, 1970). Studies have shown that picture-based passwords have better memorability than alphanumeric passwords and PINs (Dhamija & Perrig, 2000). Graphical passwords are not a security “silver bullet”, but a possible alternative for usable yet secure authentication. Other, but more expensive, solutions are token-based or smart card authentication, or the use of biometrics (fingerprints, retinal scan, etc.). However, even these more expensive systems are not bullet-proof (O’Gorman, 2003).
Most efficient are two- or three-step authentication methods, for example a combination of token-based and knowledge-based authentication (for example a smart card in combination with a PIN), a combination of biometrics and passwords, or a combination of token-based authentication and biometrics, depending on the level of security needed (O’Gorman, 2003).
In the future, a better balance has to be found between the limitations of human beings and the desire for increased security. Several studies have pointed out the potential conflict between usability and security (Furnell, 2005; Renaud, 2005; Weir, Douglas, Carruthers, & Jack, 2009). Two- or three-factor authentication is probably the most promising approach. However, also in two- or three-factor authentication approaches, usability plays a crucial, if not a more important, role. For example, in an interesting recent study, Weir et al. (2009) compared three two-factor authentication methods for eBanking on security and usability. Results of the study show that two thirds of participants preferred the device that they perceived as the least secure, but most user-friendly (Weir, et al., 2009). Thus, in the future, more research on how perceptions of usability, security, and convenience are related is needed. Perceived usefulness, ease of use and user satisfaction determine (correct) use of technology, not the other way around (Davis, 1989).
Security firm Imperva makes the following recommendations in the analysis section of their report:
1. Choose a strong password for sites where you care about the privacy of the information you store. Bruce Schneier’s advice is useful: “take a sentence and turn it into a password. Something like, “This little piggy went to the market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary.”
2. Use a different password for every site – even for the ones where privacy isn’t an issue. To help remember the passwords, again following Bruce Schneier’s advice, it is recommended: “If you can’t remember your passwords, write them down and put the paper in your wallet. But just write the sentence – or better yet – a hint that will help you remember your sentence.”
3. Never trust a 3rd party with your important passwords (webmail, banking, medical, etc.)
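Here, as an added Python example (not code from Herley’s paper, PayPal, Imperva or the Hoonakker et al. paper), is what these competing rule sets look like as code, so that the same candidate passwords can be run through each. It implements Herley’s “very loose” policy (a minimum length only), the strict PayPal-style policy he quotes with a Twitter-style banned-password list and Imperva’s trivial-sequence test added, and a check for the “password2007 becomes password2008” change pattern the survey found (Herley’s cycling-back rule). The banned list is the Imperva top ten; the dictionary is a constructed toy list, and the composition rules are assumed readings of the quoted policies. Running Schneier’s “tlpWENT2m” and the survey’s mnemonic “*paliblic-!” through it shows the inconsistency the page complains about: both are far better than anything on the top-ten list, yet the strict policy rejects each on a composition technicality.

```python
import string

# The ten most common RockYou passwords from the Imperva report quoted above,
# standing in for a site's banned-passwords list.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "1234567", "12345678", "abc123"}

# Constructed toy word list for the "not in any dictionary" rule; a real check
# would use full word lists in several languages, as Herley's rule 3 says.
DICTIONARY = {"password", "princess", "monkey", "dragon", "love", "piggy", "market"}

KEYBOARD_RUNS = ["qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "1234567890", "abcdefghijklmnopqrstuvwxyz"]


def composition(pw):
    """Which character classes the password contains."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }


def is_trivial_sequence(pw):
    """Imperva's 'trivial passwords': consecutive digits or letters, adjacent
    keyboard keys, or one repeated character ('12345', 'qwerty', '111111')."""
    s = pw.lower()
    if len(s) >= 3 and any(s in run or s in run[::-1] for run in KEYBOARD_RUNS):
        return True
    return len(s) > 0 and len(set(s)) == 1


def check_loose(pw, min_len=6):
    """Herley's 'very loose policy': a minimum length and nothing else.
    Returns the list of rules violated (empty means accepted)."""
    return [] if len(pw) >= min_len else [f"shorter than {min_len}"]


def check_strict(pw):
    """The PayPal-style rule quoted above (8+ characters, not a dictionary word,
    upper and lower case, at least one special character) plus a banned-list
    check and the trivial-sequence test. Returns the list of rules violated."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if pw.lower() in DICTIONARY:
        problems.append("dictionary word")
    if is_trivial_sequence(pw):
        problems.append("trivial sequence")
    c = composition(pw)
    if not (c["lower"] and c["upper"]):
        problems.append("needs upper and lower case")
    if not c["special"]:
        problems.append("needs a special character")
    return problems


def is_trivial_variant(old, new):
    """The 'password2007 becomes password2008' pattern from the survey, and
    Herley's cycling-back rule: same stem once trailing digits and punctuation
    are removed, or the old password reused exactly (case-insensitively)."""
    def stem(s):
        return s.lower().rstrip(string.digits + string.punctuation)
    return new.lower() == old.lower() or stem(old) == stem(new)


if __name__ == "__main__":
    for candidate in ["123456", "Password", "tlpWENT2m", "*paliblic-!", "Piggy2Market!"]:
        print(f"{candidate:14} loose={check_loose(candidate)} strict={check_strict(candidate)}")
    print("password2007 -> password2008 trivial:", is_trivial_variant("password2007", "password2008"))
```

Note that “123456”, the single most common password in the breach, sails through the loose policy, while “tlpWENT2m” fails the strict one only for lacking a symbol and “*paliblic-!” only for lacking a capital letter. A banned-list check catches the first case regardless of which composition policy a site chooses, which is the one rule in the set that the RockYou data directly justifies.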
If you’ve made it this far I suspect you are seeing a significant part of the problem: copious amounts of recommendations that no “real” non-technology oriented person is going to make it through. They left the room long ago saying, “Thank you for the advice, now take this p******d and SHOVE IT,” and who could blame them?
There is one simple solution that Bruce Schneier recommends, however, that makes the most sense to me: “use an encrypted password manager” (such as his own free Password Safe utility, Callpod Keeper, or a more full-featured encryption program like TrueCrypt to keep a master password file safely encrypted).
I used PasswordSafe many years ago and found it much easier than having to remember the 20 or so passwords I used at the time; you just had to remember one master key.
Later I began to use TrueCrypt for the purposes of encrypting all my “sensitive” data, and so started using it [in a separate encrypted container] as my primary password vault as well.
But I have a problem with all of these solutions: each one [along with many others not listed] is installed locally on each device you use, and so offers no way to keep multiple computers or devices in sync from location to location [Callpod excepted, for devices]. That means manually carrying your “vault” or “container file” from place to place whenever they need to be synchronized. LastPass, by contrast, advertises the following:
One master password: Your LastPass master password is the only password you’ll ever need.
Automatic form filling: Set up multiple ‘profiles’ and automatically fill your personal information into web forms accurately and safely.
One click login: Easily log into your websites seamlessly with a single click of your mouse button.
Secure your data: Your sensitive data is encrypted on your PC. Only your LastPass password can unlock your data and only YOU have it.
Synchronize across browsers: Your data is securely synchronized across all devices giving you access to it anywhere at anytime.
Store secure notes: Your LastPass vault isn’t limited to only securely storing usernames and passwords – ANY confidential text data can be placed in your vault for safe keeping.
Share with friends: Securely share logins with friends and let them share logins with you and never worry about sending sensitive login credential by email ever again.
Import your data: Easily Import existing passwords from Internet Explorer, Firefox, RoboForm, 1Password, KeePass, MyPasswordSafe, Password Agent, Password Safe, Sxipper, Passpack and TurboPasswords.
Export your data: Export your data to a text file or into Firefox’s Password manager with a single click – even if you’re not connected to the Internet.
Backup & restore: An encrypted backup copy of your data is stored in your account at Lastpass.com. Securely and seamlessly restore your passwords if you change computers.
Generate secure passwords: Generate hack-proof passwords with a single click, knowing that you’ll never have to remember them or type them in ever again.
Universal access: Access and manage your data at home, work, or at an Internet Cafe online at LastPass.com.
Screen keyboard: Enter your password using your mouse on a virtual screen keyboard to protect yourself from keyloggers and keysniffers or use One Time Passwords.
One-time passwords: Access your LastPass vault using one time passwords when using untrusted computers or networks and never worry about revealing your actual LastPass master password.
Identities: Use Identities to control which sites you can access. For example, create a work identity that does not contain any of your personal accounts.
Phishing protection: Automatically protect yourself from revealing your login credentials to phishing websites. LastPass will not fill your login credentials on any phishing websites.
Identify weak passwords: Run the LastPass Security Challenge to analyze your passwords for weaknesses and learn how you can maximize protection against identity theft.
LastPass is not the panacea for every password woe: there are issues with even this solution, but it represents a massive step towards simplifying-while-strengthening password generation, use and storage.
But it still requires a local install, which can be a problem in business environments where managed networks prohibit such behavior. I sent an email on this question to LastPass support, inquiring if the service can be accessed online in such situations where local installs are prohibited to which they responded:
I recommend putting Firefox portable on a USB thumb drive (and install LastPass on that). Your other option is to use LastPass pocket.
Unfortunately that again requires manually carrying a device around, adding a complication that most non-technical people are just not going to bother with.
Keeping in mind this statement: “The human factor is truly security’s weakest link,” my recommendations would be to do the following:
Now: Use a password managing service like LastPass. Use one strong master password, use LastPass to generate site specific strong passwords and use it to store and manage them.
Future: I would suggest that all browser vendors agree on an open standard for universal password generation, use and storage [e.g. the LastPass model] and build it into every browser and OS, making the process persistent and ubiquitous, independent of browser or operating system platform.
Websites too would have to adopt a standard of accepting strong passwords – too many reject the characters used to create truly strong ones.
Perhaps then, instead of users saying, “Thank you for the advice, now take this p******d and SHOVE IT,” they will just say, “thank you,” and the weakest link – the human factor – will be eliminated.
Are you listening LastPass? Google? Microsoft? Mozilla? Apple? Linux? Opera? Talk amongst yourselves.
UPDATE 2010-07-12: LastPass was recently reviewed by Steve Gibson of GRC.com on his Security Now podcast: http://www.grc.com/sn/sn-256.htm